
Accessing external Hosted Exchange 2010 from within SBS2003R2 network (ISA2004)

Hi Guys,

I have an SBS2003R2 network with ISA2004 (dual port server, etc)
I'm moving our mail system to a hosted Exchange setup external to the local network (all of the DNS is set up and the mailboxes work OK; no MX is pointing to the internal Exchange 2003 box).
I have also removed the domains from the recipient policies.

OK, I can connect to the hosted Exchange server through RPC over HTTP with a PC connected directly on the router (so on the external side of the SBS2003 box).

I can't connect a domain-connected PC to the hosted Exchange 2010 server using similar methods. What ports etc. need opening through ISA2004 to do this, please?

I have read that the IP of the remote exchange server needs to be added to the LAT for this but have not been able to verify or obtain any background on this.

Can anyone help please ????

Regards
TrevorWhite
1 Solution
 
Suliman Abu Kharroub (IT Consultant) commented:
Is your internal domain name the same as your external domain name? For example, mydomain.com.
TrevorWhite (Author) commented:
Hi Sulimanw,
No, the internal domain is WhytecDomain.local; the external one is Whytec.com.
The SBS setup is pretty much OK (I manage a number of these for clients).
This is the first SBS where I have had to migrate SBS2003/Exchange 2003 to Hosted Exchange, i.e. the Exchange organisation is external to the local server.

Can I take it this is doable ???

Regards
TrevorWhite (Author) commented:
FYI,

Hosted Exchange is accessed by an RPC/HTTP connection. I've been involved with this when accessing SBS Exchange mailboxes through externally connected internet PCs (i.e. inbound to the SBS box), but making an outbound RPC/HTTP connection to an external Exchange mailbox isn't really an SBS operation. Hence I'm stuck, as I don't know what ports etc. are required through the ISA2004 firewall.

Can anyone help tonight, I could do with getting this sorted asap.

Regards in advance

Trev
TrevorWhite (Author) commented:
Really could do with some help on this guys. I have spent the evening trawling the internet for some info but no conclusion. Small Bus server forum says this should be possible out of the box.

I have an Outlook profile configured with the external Exchange address (this was set up with the PC connected directly to the internet through the router); all worked fine. As soon as I attach the same PC to the internal subnet (the SBS domain) I get 'Trying to connect to the exchange server' and ultimately 'Disconnected'.

Tried this with the MS firewall client enabled and disabled, still the same.

Help, don't know how to proceed.

Regards
Suliman Abu Kharroub (IT Consultant) commented:
While directly attached, right Ctrl + right-click on the Outlook icon in the notification area, then Connection Status: how does it connect, HTTP or TCP? If HTTP/S, then just make sure to create an access rule allowing HTTP/S from Internal to External, if not done yet.

Another thing to check, from the internal network: test DNS:

cmd
nslookup
set q=mx
domain.com

Does it return the correct IP address?

Do you have a DNS zone domain.com in your internal DNS server?

While Outlook is trying to connect, go to the ISA monitor and set the filter to the client IP address, and see what is going on: which rule blocks the traffic.
TrevorWhite (Author) commented:
Hi SulimanW,
Thanks for the steering with this!!!
The direct connection is indeed HTTPS. I can access HTTPS sites from within the SBS domain (I do this regularly to access https://server.Customer.com/Exchange, which is a customer's OWA service). I have also visited some HTTPS test sites.

The nslookup on ilsexc01.ilsexchange.infologicinternet.com gives 'Non-existent domain'... this is the URL provided for entry in the Exchange server name. The server HTTPS address is exchange.infologicinternet.co.uk. This gives:
Primary Name Server = ns1-hosts.srsplus.com
responsible mail addr = hostmaster.srsplus.com
serial = 1301396667
refresh 10800 (3 hours)
retry = 3600 (1 hour)
expire = 604800 (7 days)
default TTL = 86400 (1 day)

I have looked in the DNS and not found a whytec.com domain zone. I don't recall setting up any split DNS setup in the past either.

Client IP is 192.168.3.19
I set up an ISA log filtered on 192.168.3.19 and the connection is indeed rejected on the HTTPS request. (217.19.243.23 443 HTTPS Denied Connection SBS Internet Access Rule 192.168.3.19)
I have attached the full log in case it is illuminating.

So why does the SBS Internet Access Rule reject an HTTPS connection attempt over 443 when other HTTPS traffic is passed? Is there a way forward to determine why the request fails???

Regards

Attachment: ISATMWCapture.txt
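The ISA monitor step Suliman describes (filter the log on the client IP and see which rule denies the traffic) can also be done offline against an exported log, which is handy when you want to compare a denied destination against other destinations the same rule allows, as in the denial line quoted above. The script below is an added example, not code from this thread or from Microsoft. The field layout and all sample lines are constructed to match the shape of that one quoted denial; the real ISA 2004 log export has more columns, so the regular expression is an assumption to be adjusted, not the actual log format.

```python
"""Offline triage of ISA Server 2004 firewall log lines for one client IP.

Added example, not code from this thread or from Microsoft.  The field
layout below is an ASSUMPTION modelled on the single denial line the asker
quoted; a real ISA log export has more columns, so adjust LINE_RE to match.
"""
import re
from collections import Counter

# Constructed sample export (not real log data).  Field order assumed:
#   dst_ip  dst_port  protocol  result  rule_name  client_ip
# 217.19.243.23 and 192.168.3.19 come from the thread; the other
# destinations are documentation-range addresses (RFC 5737).
SAMPLE_LOG = """\
217.19.243.23 443 HTTPS Denied Connection SBS Internet Access Rule 192.168.3.19
203.0.113.10 443 HTTPS Allowed Connection SBS Internet Access Rule 192.168.3.19
203.0.113.10 80 HTTP Allowed Connection SBS Internet Access Rule 192.168.3.19
217.19.243.23 443 HTTPS Denied Connection SBS Internet Access Rule 192.168.3.19
217.19.243.23 443 HTTPS Allowed Connection Hosted Exchange HTTPS 192.168.3.19
198.51.100.7 443 HTTPS Denied Connection Default rule 192.168.3.22
this line is not a log record
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    rf"^(?P<dst_ip>{IP})\s+(?P<dst_port>\d+)\s+(?P<proto>\S+)\s+"
    r"(?P<result>Allowed|Denied) Connection\s+"
    r"(?P<rule>.+?)\s+"          # rule names may contain spaces
    rf"(?P<client_ip>{IP})$"
)


def parse_line(line):
    """Return a dict for one record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def parse_log(text):
    """Parse every matching line; unparseable lines are skipped."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def blocking_rules(records, client_ip):
    """Which rules denied traffic from client_ip, and how often."""
    counts = Counter(r["rule"] for r in records
                     if r["client_ip"] == client_ip and r["result"] == "Denied")
    return dict(counts)


def destination_summary(records, client_ip):
    """Per (dst_ip, dst_port, proto): the sets of rules that allowed and denied it.

    A destination denied by a rule that allows the same protocol to other
    destinations (the asker's situation) stands out here immediately.
    """
    summary = {}
    for r in records:
        if r["client_ip"] != client_ip:
            continue
        key = (r["dst_ip"], r["dst_port"], r["proto"])
        entry = summary.setdefault(key, {"allowed_by": set(), "denied_by": set()})
        entry["allowed_by" if r["result"] == "Allowed" else "denied_by"].add(r["rule"])
    return summary


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    client = "192.168.3.19"
    print("rules denying", client, "->", blocking_rules(recs, client))
    for (ip, port, proto), e in sorted(destination_summary(recs, client).items()):
        print(f"{ip}:{port} {proto}: allowed by {sorted(e['allowed_by']) or '-'}, "
              f"denied by {sorted(e['denied_by']) or '-'}")
```

Run against a real export, the `destination_summary` output makes the key question visible in one line per destination: the same "SBS Internet Access Rule" shows up under `allowed_by` for ordinary HTTPS sites and under `denied_by` for the hosted Exchange address, which is exactly the contradiction that points at rule scope (which networks the rule applies to) rather than at the protocol.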
TrevorWhite (Author) commented:
Whoop, whoop!!!
All sorted after realising that it really was a rule-based issue in ISA2004.
I have added a new Internet Access rule to specifically pass HTTPS for all users to 217.19.243.23 from Localhost and the Internal network. Connections are now made and Outlook syncs up OK.

Would still like to know why this is necessary. Can you explain???
Points are yours of course; thanks so much for the pertinent comments and steers.

Regards
Trevor
Suliman Abu Kharroub (IT Consultant) commented:
You are welcome :) Glad to hear that.

I think below is the cause:
Does the old rule have Localhost in the From tab? If so, then your client is connected to the internet using the web proxy method, and in this case only rules which apply to the Localhost will be applied to the clients.
TrevorWhite (Author) commented:
Ah yes, I follow you.
Just checked the standard SBS rule and it is for 'All protected networks', so I guess 'local host' is some sort of exception to that even though it is part of the 'protected network' subnet.

So great work, Sulimanw. Thanks for your time and persistence with this; I do appreciate it.

I'll close this up now and award the points; please do add anything that may be helpful for others in the future though.

Regards
TrevorWhite (Author) commented:
One thing to come out of this for me is that 'localhost' is an exception to 'All protected networks'